NAC framework NAC-L2-802.1x, CTA 2.1, CSSC, ACS 4.2 not working???
Hi
I'm trying to set up my first crack at the NAC framework, using NAC-L2-802.1x. For this, the equipment I'm using is:
Cisco 2950 switch (IOS /c2950-i6q4l2-mz.121-22.EA11.bin)
Cisco 1811 router (inter-vlan routing)
Cisco Secure ACS (90 day trial) 4.2
CTA 2.1.103
CSSC 5.1.0.39
Windows XP SP3 client machine
So I've tried to follow the Network Admission Control Framework Guide for the NAC-L2-802.1x section, and all seems to have gone as laid out in the document, except when I get to the point where I actually test the config by bringing up the client port. I do the 'no shut' on the port, the light on the switch port goes amber and the CSSC client says it's waiting for an IP address; it never pops up asking for credentials as shown in that document. I check the RADIUS server logs and there are no passes or fails for this host. I know RADIUS is working from this switch as I have it set up for login authentication, which works just fine. I am completely stumped, and the only thing I can think of is trying to install a full certificate server and going that way, instead of the self-signed cert which CSACS has generated; I've copied the .cer file to the client and installed it, and verified it is installed with the Certificates MMC. Please, somebody provide some better reading on this matter, or some assistance. Thanks very much.
Jason
aaa new-model
aaa authentication login default group radius local
aaa authentication dot1x default group radius
aaa authorization network default group radius
aaa accounting dot1x default start-stop group radius
dot1x system-auth-control
Client port:
interface FastEthernet0/1
 switchport mode access
 dot1x port-control auto
 dot1x timeout reauth-period server
 dot1x reauthentication
You can refer to the URLs below for future reference:
http://www.cisco.com/en/US/docs/net_mgmt/cisco_secure_access_control_server_for_windows/3.3/user/guide/nac.html
http://www.cisco.com/en/US/netsol/ns617/networking_solutions_sub_solution_home.html
Similar Messages
-
802.11n software update for MBP 2.33GHz does not work
Please help: after downloading the 802.11n enabler from Apple I want to install it on my 2.33GHz MBP. The program says that I do not have the correct hardware to do that.
Can't all Intel Core 2 Duo notebooks from Apple be updated via that software?
What do I do wrong?
Thanks
Michael
The best SATA/RAID driver for nForce3 is the 4.79 version which is part of the "unified" 6.37Beta pack which nVidia attempted to do when nForce4 first came out, before they decided to abandon any further attempt at a unified driver pack. I found it in a file named nv_raid_nv11.zip at MSI's download site but it's been long gone. You can still get the full pack here: http://downloads.guru3d.com/nForce-6.37-Beta-Drivers-download-971.html - just use the files from the IDE folder. I made a custom mix for myself from the nForce3 5.10 pack, replacing the IDE folders with the files from 6.37Beta - I've been using it with RAID-1 for 3 years now without a single incident.
-
NAC Framework NAC-L2-802.1x with Wireless AP1242AG?
Hi
Can anyone provide some info on setting up NAC-L2-802.1x with a Wireless AP1242AG (not using the NAC Appliance, but the Framework)? I can't seem to find the equivalent of the dot1x port-control auto commands on the access point. Thanks
Jason
NAC assesses the state, or posture, of a host to prevent unauthorized or vulnerable endpoints from accessing the network. Enforcement is performed through an authorization policy that is centrally defined on a single ACS server or delegated to multiple NAC posture validation servers.
-
NAC Framework - NAC-L2-802.1x without CSSC client?
Hi
I'm just wondering if it is possible to do NAC-L2-802.1x without the use of the CSSC client? I've managed to get this working with the CSSC client with no problems, but have been having nothing but problems trying to get this working without. This client software is pretty expensive and if it is possible to get around using it, that'd be great. Thanks for any info.
Jason
You can do 802.1x without CSSC; you cannot support remediation without it, however. 802.1x by itself allows you authentication and dynamic VLAN assignment.
-
NAC-L2-802.1x with 7940 IP Phones and built-in switchport?
Hi
I've got the NAC Framework, NAC-L2-802.1x working in a test LAB with network hosts (PCs) connected directly to the L2 switch. In our production environment, we have Cisco 7940 IP phones on every desk, and the PCs connect to the switchport on the back of these phones. How would one configure NAC-L2-802.1x to work in a setup like this? I've done quite a bit of searching on Cisco and only found this reference to IP phones and NAC;
IP Telephone and Device Mobility
The computer connected to the PC port on an IP phone will get posture validated successfully.
It does not help much...
Thanks very much.
Jason
You have 2 choices:
1) Ignore the phones based on CDP. You get this by just configuring 802.1X along with a VVID. Here's an example port config from a 3750:
interface GigabitEthernet1/0/2
 description endpoints
 switchport access vlan 2
 switchport mode access
 switchport voice vlan 200
 srr-queue bandwidth share 10 10 60 20
 srr-queue bandwidth shape 10 0 0 0
 queue-set 2
 mls qos trust device cisco-phone
 mls qos trust cos
 dot1x pae authenticator
 dot1x port-control auto
 spanning-tree portfast
 spanning-tree bpduguard enable
 ip verify source
 ip dhcp snooping limit rate 10
The config above will allow a Cisco phone in "for free" just b/c it can do CDP.
2) Authenticate IP phones via 1X or MAC-Authentication for phones that cannot support 1X. This would be the same config as above, with the addition of this line:
dot1x host-mode multi-domain
And if your IP phone cannot do 1X (for example, the 7940 cannot), then you'll need to check its MAC for entry into the network by adding this line:
dot1x mac-auth-bypass
Hope this helps,
-
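As an added example (not from this thread and not Cisco's own tooling), a small Python audit that checks a switch running-config for the commands the two answers above rely on: the global aaa/dot1x lines and 'dot1x port-control auto' from the first answer, and on ports carrying a voice VLAN the 'dot1x host-mode multi-domain' and 'dot1x mac-auth-bypass' lines from the 7940 answer. The config text is constructed from those posted lines; the function names are my own.

```python
# Audit an IOS running-config for the NAC-L2-802.1x commands in the answers
# above. Added example, not from the thread; config text constructed from the
# posted lines; function names are my own.

REQUIRED_GLOBAL = [
    "aaa new-model",
    "aaa authentication dot1x default group radius",
    "aaa authorization network default group radius",
    "dot1x system-auth-control",
]

# Constructed sample: the first answer's global and client-port lines, plus two
# phone ports in the two styles the 7940 answer describes.
SAMPLE_CONFIG = """\
aaa new-model
aaa authentication dot1x default group radius
aaa authorization network default group radius
dot1x system-auth-control
!
interface FastEthernet0/1
 switchport mode access
 dot1x port-control auto
!
interface GigabitEthernet1/0/2
 switchport mode access
 switchport voice vlan 200
 dot1x port-control auto
!
interface GigabitEthernet1/0/3
 switchport mode access
 switchport voice vlan 200
 dot1x port-control auto
 dot1x host-mode multi-domain
!
"""

def split_config(text):
    """Return (global_lines, {interface: [sub-commands]}) from IOS config text."""
    global_lines, interfaces, current = [], {}, None
    for raw in text.splitlines():
        line = raw.rstrip()
        if line.startswith("interface "):
            current = line.split(None, 1)[1]
            interfaces[current] = []
        elif line.startswith(" ") and current is not None:
            interfaces[current].append(line.strip())
        else:
            current = None
            if line and line != "!":
                global_lines.append(line)
    return global_lines, interfaces

def audit(text):
    """Return (scope, finding) tuples; an empty list means every check passed."""
    findings = []
    global_lines, interfaces = split_config(text)
    for cmd in REQUIRED_GLOBAL:
        if cmd not in global_lines:
            findings.append(("global", f"missing '{cmd}'"))
    for name, cmds in interfaces.items():
        if "switchport mode access" not in cmds:
            continue  # trunks and uplinks are out of scope for this check
        if "dot1x port-control auto" not in cmds:
            findings.append((name, "802.1X not enforced: no 'dot1x port-control auto'"))
        elif any(c.startswith("switchport voice vlan") for c in cmds):
            # Phone port: distinguish the two styles from the 7940 answer
            if "dot1x host-mode multi-domain" not in cmds:
                findings.append((name, "phone admitted via CDP only, not authenticated"))
            elif "dot1x mac-auth-bypass" not in cmds:
                findings.append((name, "multi-domain without MAB: phones that cannot do 802.1X are refused"))
    return findings
```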
NAC L2 802.1x (wireless)
Can somebody advise me where I can find information about configuring NAC L2 802.1x on wireless AP 1200 series? Or can somebody show me an example configuration file? I have found configuration guides only about wired solutions (configuring NAC L2 IP and NAC 802.1x on a switch).
Thank you in advance!
For NAC implementation with wireless access points, the implementation is the same as the switch wired Layer 2 802.1x implementation for network admission control. The only difference is that you will need to use a third-party NAC-enabled supplicant such as Meetinghouse for your wireless devices.
Sample config on AP:
aaa new-model
aaa authentication eou default group radius
aaa session-id common
radius-server host 10.100.100.100 auth-port 1645 acct-port 1646
radius-server key cisco123
radius-server vsa send authentication #Enable VSAs
ip radius source-interface FastEthernet0/0
ip admission name NAC-L2-IP eapoudp #Define NAC policy
ip admission name NAC-L2-IP-Bypass eapoudp bypass #
ip admission name NAC-L3-IP eapoudp1 list EoU-ACL #Define NAC trigger, routers only
ip access-list extended EoU-ACL
 deny udp any any eq domain #allow DNS to bypass NAC
 deny tcp any host 10.100.100.101 eq www #allow HTTP to bypass NAC
 permit ip any any #all other traffic triggers
ip access-list extended Interface-ACL
 permit udp any any eq 21862 #permit EAPoUDP
 permit udp any eq bootpc any eq bootps #permit DHCP
Refer to these links:
http://www.cisco.com/en/US/netsol/ns617/netbr0900aecd80355b2f.html
http://www.cisco.com/en/US/products/hw/wireless/ps430/products_configuration_guide_chapter09186a0080606cbe.html#wp1072071
-
NAC L2 802.1X: Windows Logon Problem
Using CTA 4.0.2, ACS SE 4.x, and Windows AD the following occurs:
1. When logging in to Windows XP using a local account, CTA prompts for its login. I can then put in the AD account. This process works!
2. When logging in to Windows XP using an AD account, the error message "domain xyz is not available" appears, so the CTA prompt never comes up.
3. When logging in to Windows XP using a "CACHED" AD account, CTA prompts for its login. I can then put in the AD account. This process works also!
4. Using Single Sign-on with "Never Validate Server", #2 and #3 occurred.
Any input is very appreciated. Cisco TAC has been notified.
thanks,
Audie
703-292-5316
Hi all,
I have the exact same problem.
I have just upgraded my ACS to 4.1 but that didn't help with the problem.
You write "CTA 4.0.2"... I suppose you mean 2.0.x?
Did you guys do anything extra on the ACS to get this to work ?
Kind regards
KDam
-
NAC L2-IP on 6500: URL redirection not working
Hi,
We are testing NAC L2-IP on a Cat 6506 running 12.2(18)SXF9.
When configuring for NAC L2-IP, the switch is able to download the required ACL entries. The HTTP server is enabled in the switch; however, the HTTP redirection is still not working.
From the client side, I can see the SYN packets going to port 80 but no response (redirect etc.) comes back from the switch.
This is the Port-ACL
10 permit udp any eq 21862 any
11 permit icmp any any echo-reply
20 permit udp any any eq bootps
30 permit udp any any eq domain
40 permit tcp any eq 3389 any
50 deny ip any any
This is the ACL as specified in the "url-redirect-acl" attribute
70 deny tcp any host 10.140.4.116 eq www
80 deny tcp any host 10.140.4.202 eq www
90 deny tcp any host 10.1.194.15 eq www
100 deny tcp any host 172.25.1.15 eq www
110 permit tcp any any eq www
Any ideas ?
+++++++++++++++++
show eou ip 10.192.99.27
Address : 10.192.99.27
MAC Address : 0006.5ba0.5705
Interface : FastEthernet2/47
AuthType : CLIENTLESS
Audit Session ID : 0000002C1387D1FB0000000D0AC0631B
PostureToken : -------
Age(min) : 15
URL Redirect : http://x.x.x/y
URL Redirect ACL : redirect-policy
ACL Name : #ACSACL#-IP-NAC_NoCTA_ACL-464b3186
User Name : UNKNOWN USER
Revalidation Period : 36000 Seconds
Status Query Period : 300 Seconds
Current State : CLIENTLESS
++++++++++++++++++++++++++++++++
Exactly the same switch configuration and Secure ACS configuration work for a 3560 switch.
Thanks,
Naman
Check this bug-id: CSCse02269.
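As an added example (not from this thread and not Cisco's code), a Python helper that parses 'show eou ip' output like the block the poster pasted and flags hosts sitting in CLIENTLESS state with no posture token, then evaluates the poster's url-redirect-acl for a port-80 flow to show which destinations the switch should intercept. The first session is the poster's; the second host, the expected redirect semantics (permit = redirect, deny = exempt) and the helper names are my own assumptions.

```python
# Parse 'show eou ip' output and evaluate the url-redirect-acl from the post above.
# Added example, not from the thread or from Cisco. The first session is the
# poster's; the second host and the helper names are constructed by me.
import re

SHOW_EOU = """\
Address : 10.192.99.27
MAC Address : 0006.5ba0.5705
Interface : FastEthernet2/47
AuthType : CLIENTLESS
PostureToken : -------
Age(min) : 15
URL Redirect : http://x.x.x/y
URL Redirect ACL : redirect-policy
ACL Name : #ACSACL#-IP-NAC_NoCTA_ACL-464b3186
User Name : UNKNOWN USER
Current State : CLIENTLESS

Address : 10.192.99.30
MAC Address : 0011.2233.4455
Interface : FastEthernet2/48
AuthType : EAP
PostureToken : Healthy
Age(min) : 3
Current State : AUTHENTICATED
"""

# The poster's url-redirect-acl: 'deny' exempts a destination, 'permit' redirects.
REDIRECT_ACL = """\
70 deny tcp any host 10.140.4.116 eq www
80 deny tcp any host 10.140.4.202 eq www
90 deny tcp any host 10.1.194.15 eq www
100 deny tcp any host 172.25.1.15 eq www
110 permit tcp any any eq www
"""

def parse_show_eou(text):
    """One dict per session; sessions are separated by a blank line."""
    sessions = []
    for block in re.split(r"\n\s*\n", text.strip()):
        fields = {}
        for line in block.splitlines():
            key, _, value = line.partition(":")  # first ':' only, so URLs survive
            fields[key.strip()] = value.strip()
        sessions.append(fields)
    return sessions

def stuck_clientless(sessions, max_age_min=10):
    """Addresses with no posture agent, no token and an ageing session: they
    sit on the restrictive ACL waiting for a redirect that never happens."""
    return [s["Address"] for s in sessions
            if s.get("Current State") == "CLIENTLESS"
            and s.get("PostureToken", "").strip("-") == ""
            and int(s.get("Age(min)", "0")) >= max_age_min]

ACE = re.compile(r"^\d+\s+(permit|deny)\s+tcp\s+any\s+(any|host\s+(\S+))\s+eq\s+www$")

def redirected(acl_text, dst_ip):
    """First-match evaluation for a TCP/80 flow to dst_ip: permit means the
    switch should intercept and redirect it, deny means pass it through."""
    for line in acl_text.strip().splitlines():
        m = ACE.match(line.strip())
        if not m:
            raise ValueError(f"unsupported ACE: {line}")
        action, dst, host = m.groups()
        if dst == "any" or host == dst_ip:
            return action == "permit"
    return False  # no match: implicit deny, nothing to redirect
```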
-
NAC guest server hangs and guest portal is not working
Hi all ,
Our guest NAC server NAC3315 is often getting into a hung state, and our guest wireless network is not working. We are able to ping the NAC server, but the web page does not open for clients when they are connected to the guest network.
Any clue on this ....
Thanks!,
Regards,
Vijay.
All actions within the Cisco NAC Guest Server are logged into the database. This enables you to see any action that occurred as part of the normal operating process of the application.
To access the system log from the administration interface, select Server > System Log from the left-hand menu.
Please check the error logs for troubleshooting of NGS.
-
NAC OOB logoff feature not working
Hi all,
I've deployed NAC in L2 OOB VG mode with ADSSO and I'm trying to use the OOB logoff feature but it's not working. The VLAN change detect feature doesn't work either (I think the two problems might be related).
It will work if each user role is assigned a different auth/access VLAN pair but in my setup, everyone has a common auth vlan and separate role-based access vlans. Because of this, I have to use the IP refresh feature as well (this works fine).
I'm running Windows Vista and version 4.8.0 of the NAC software with version 4.8.1.5 of the agent.
I checked the release notes and found that caveat CSCth60233 identifies this bug with the VLAN change detect with the workaround being to refresh the IP address automatically after being logged out. Does anyone know of a workaround for this problem to do this automatically? Is a solution for this problem in the works?
Also would anyone be able to help me with my OOB logoff feature not working? I've configured everything according to the documentation.
I appreciate your responses
~Xavier
Here are my configs if necessary. Tell me if anything else is needed.
User Management > User Roles
List of Roles
Edit Role
Traffic Control
Bandwidth
Schedule
Disable this role
Role Name
Role Description
Role Type
Normal Login Role Quarantine Role
*Max Sessions per User Account ( Case-Insensitive Session Identifiers )
(1 – 255; 0 for unlimited)
Retag Trusted-side Egress Traffic with VLAN (In-Band)
(0 – 4095, or leave it blank)(*This option has been deprecated, and it will be removed in upcoming releases)
*Out-of-Band User Role VLAN
VLAN ID VLAN Name (if left blank, it will default to the default access vlan settings in the Port Profile)
*Bounce Switch Port After Login (OOB)
Enable Disable (This option is effective only when port profile is set to use it)
*Refresh IP After Login (OOB)
Enable Disable (This option only applies to L2 OOB Virtual Gateway with Role VLAN as Access VLAN and switch port is NOT bounced after VLAN change)
*After Successful Login Redirect to
previously requested URL
this URL:
(e.g. http://www.cisco.com/)
Redirect Blocked Requests to
default access blocked page
this URL or HTML message:
*Show Logged-on Users
User info
Logout button
Enable Passive Re-assessment (To enable Passive Re-assessment for OOB Agent connections, you must also enable the OOB Logoff option at Device Management > Clean Access > General Setup > Agent Login.)
Re-assessment Interval
(Minimum of 60 minutes and maximum of 1440 minutes [24 hours])
Grace Timer
(Minimum of 5 minutes and maximum of 30 minutes)
Default action on failure
Continue Allow user to remediate Logoff user immediately
(*only applies to normal login role)
Device Management > Clean Access
Certified Devices
General Setup
Network Scanner
Clean Access Agent
Updates
Web Login · Agent Login
User Role
Unauthenticated Role(not common) role_engineer role_developer role_admin role_sales role_guest
Operating System
ALL WINDOWS_ALL WINDOWS_XP WINDOWS_VISTA_ALL WINDOWS_7_ALL MAC_ALL MAC_OSX LINUX FREEBSD SOLARIS_ALL SOLARIS_86 SOLARIS_SPARC UNIX VMS OS2 PALM
(By default, 'ALL' settings apply to all client operating systems if no OS-specific settings are specified.)
Enable OOB logoff for Windows NAC Agent and Mac OS X Agent (This global option applies to all OOB CASs and user roles and enables Agent logout and heartbeat timers for OOB Agent connections. You must also enable this option for Passive Re-assessment to function with OOB Agent connections.)
Require use of Agent
(for Windows & Macintosh OSX only)
Agent Download Page Message (or URL):
Network Security Notice: This network is protected by a Cisco NAC Appliance Agent, a component of the Cisco NAC Appliance Suite. The Agent ensures that your computer meets the requirements for accessing this network, and helps you keep your computer secure and up-to-date.
Please use the Agent to log in to the network.
If you don't have the Agent software yet, download it by clicking the button below. After downloading the installation file, run it to complete the installation.
If you have already downloaded and installed the Agent, please close this window and right-click the Agent icon in the system tray and choose Login from the menu. Enter your usual network user name and password in the login window.
Require use of Cisco NAC Web Agent (for Windows only)
Cisco NAC Web Agent Launch Page Message (or URL):
Network Security Notice: This network is protected by the Cisco NAC Web Agent, a component of the Cisco NAC Appliance Suite. The Cisco NAC Web Agent ensures that your computer meets the requirements for accessing this network, and helps you keep your computer secure and up-to-date.
Please launch Cisco NAC Web Agent by clicking the button below.
Allow restricted network access in case user cannot use NAC Agent or Cisco NAC Web Agent
Restricted Access User Role:
role_engineer role_developer role_admin role_sales role_guest
Restricted Access Button Text:
Restricted Network Access Message:
Restricted Network Access: If you cannot use a Cisco NAC Appliance Agent, you can obtain restricted network access temporarily by clicking the button below.
Show Network Policy to NAC Agent and Cisco NAC Web Agent users (for Windows only)
Network Policy Link:
Logoff NAC Agent users from network on their machine logoff or shutdown after
secs (for Windows & In-Band setup, for OOB setup when OOB Logoff is enabled)
(Setting the time to zero secs will logout user immediately. Valid range: 0 - 300 secs.)
Refresh Windows domain group policy after login
(for Windows only)
Automatically close login success screen after
secs
(Setting the time to zero secs will not display the login success screen. Valid range: 0 - 300 secs.)
Automatically close logout success screen after
secs
(for Windows only)
(Setting the time to zero secs will not display the logout success screen. Valid range: 0 - 300 secs.)
-
My DotNet application does not work after installing Framework 4.0 on my client PC
Hi
I created the application in Visual Studio 2010, therefore I need Framework 4.0 for my application to work on the client PC, but it is still not working.
I have few forms in my application.
Form Contact has Textbox, Label and Button controls on it. (This form works absolutely fine.)
Form Invoice has DataGridView, Textbox, Label and Button controls. (This form is NOT working at all; it gives me an error.)
Any bright suggestion will help me NOT install the whole crap of Visual Studio 2010 on my client PC and also save space.
Thank you in advance
Hi,
You don't install VS2010 on the client PC, then where did the Form Invoice not work? When you run it from another version of VS? Or when you run the application with application.exe?
Based on your description, one form works well, another form does not. I assume that the two forms are in two different projects, then please check the .NET Framework used by the two projects. If they are different, you can use the one used by Form Contact for Form Invoice.
Because this issue is a project issue, I recommend you to consult it on some application forum such as the Windows Forms General forum for better support.
The VS General Question forum mainly discusses the usage of the Visual Studio IDE such as the WPF & SL designer, Visual Studio Guidance Automation Toolkit, Developer Documentation and Help System and Visual Studio Editor.
Thanks,
-
Audio captcha is not working in mac safari 5.1.7.
We used a code snippet that is working in other browsers like IE 7, 8, 9, Chrome and Firefox.
Audio refresh is also not happening.
When submitting the audio captcha, the jcaptcha framework gives an InvocationTargetException.
-
Ip phone is not working with 802.1x port
I can authenticate the PC using 802.1x, but it's not working with IP phones... waiting for your kind reply.
The switch is 4006 and the image is cat OS 7.3(2).
The port configuration is
set radius server X.X.X.X
set radius key xxxxxx
set dot1x system-auth-control enable
set port dot1x 3/17 port-control auto
set port dot1x 3/17 initialize
-
Windows 8.1 with Hyper-V external switch - 802.1x not working in host nor guest
Hi,
I have Windows 8.1 with Hyper-V installed and virtual machines connected via a Hyper-V Switch - External. 802.1x wired authentication is not working in the host nor in the guest machine (the computer is not responding to switch requests). If I change the switch mode to Internal/Private it starts working.
Do you have any idea how to get it working also in external mode?
Hi,
What is the physical network configuration in your environment? Are you using wireless or wired connection?
We tested this issue as you described here, and the external switch is working fine.
Have you tried to delete the created switches and recreate one, test this issue again?
Yolanda Zhu
TechNet Community Support
-
I have an airport express (802.11n) which download do I need to get it work on Windows 8.1?
That one doesn't work.
Sent from my iPhone
On 19 Nov 2014 at 13:55, "Apple Support Communities Updates" <[email protected]> wrote:
Bob Timmons has replied to your question "I have an airport express (802.11n) which download do I need to get it work on Windows 8.1?":
It has been some time since Apple updated AirPort Utility for Windows. The current version is 5.6.1.
It runs on Windows 7, but I have not checked on Windows 8.
AirPort Utility 5.6.1 for Windows: http://support.apple.com/kb/dl1547